What started last week as a series of reports on domestic spying by the NSA took a turn towards cyber security on Friday when Glenn Greenwald and Ewen MacAskill of The Guardian published the top secret Presidential Policy Directive 20 (PPD–20), which deals with U.S. policy and planning for cyber conflict. Like the other documents that The Guardian released, this one largely confirmed what those who pay close attention to these issues already knew: the United States is working to build up its offensive cyber warfare capabilities. But the document provides other insights as well, and perhaps even a small measure of consolation for cyber war critics.
First, we know from reporting by the New York Times this time last year that the United States has already engaged in offensive cyber attacks with the use of Stuxnet against Iranian nuclear facilities. Over the last year, other reports have pointed to various indicators of the United States’s preparations for offensive cyber warfare. By calling attention to that portion of PPD–20 that directs DoD and the intelligence community to draw up a list of possible targets for “Offensive Cyber Effects Operations (OCEO)” (p. 3), Greenwald and MacAskill have provided one more important bit of information about how U.S. plans for possible offensive cyber warfare are proceeding.
Second, PPD–20 provides an interesting tidbit related to cyber intelligence. Following the hack of HBGary Federal in 2011, various observers took note of the growing number of companies providing technologies and services for cyber intelligence to the U.S. government. One such technology was “persona management” software that can be used to facilitate online information gathering and perception management operations. Though the evidence for the existence of such tools and techniques seemed solid, some still questioned their reality. But PPD–20 makes reference to “the use of online personas” as a tool for “human intelligence operations undertaken via the Internet” (p. 5). This provides another, powerful piece of evidence for the reality of persona management.
Third, the document might provide some measure of consolation for cyber war critics. Though news of the President’s order to draw up a list of targets and circumstances for which cyber capabilities might be appropriate is a disappointing development for those of us who wish the Internet were not becoming a battlefield, it is not surprising that policy makers and planners are carrying out this kind of exercise. It is routine and makes sense. If you are going to have a weapon/capability, you should think in advance about when, where, against whom, and with what effects that capability/weapon can be used. So yes, it’s disappointing to see one more step towards the militarization of the Internet and the possibility of cyber war. On the other hand, if we are going to have cyber weapons – and it appears that is all but inevitable at this point – better to think carefully about how they will and won’t be used than not.
This is where we see one aspect of how some of the document might help to allay critics’ concerns. One of the biggest criticisms that many had of the Stuxnet operation (myself included) was that it seemed to have been carried out without adequate thought given to the larger implications. This document appears to initiate a process meant to engage in such thought. The document identifies a number of criteria to be considered when deciding upon the use of defensive and offensive cyber effects operations, including “impact,” “risks,” “methods,” “geography and identity,” “transparency,” and “authorities and civil liberties” (p. 13). Thomas Rid of the War Studies Department at King’s College asked this week, “How would the authors of #PPD20 assess Stuxnet in hindsight against their own criteria?” His answer, “Probably ambiguous.” He pointed to the possibility for economic retaliation and “the establishment of unwelcome norms of international behavior” as at least two areas where the Stuxnet operation would likely fall short of PPD–20’s criteria. He is likely correct. On the other hand, given the firestorm of criticism that followed revelations of Stuxnet, perhaps PPD–20’s criteria can be read as a lesson learned and a commitment not to repeat the mistakes of Stuxnet. Only time will tell.
Increasingly bellicose rhetoric in the U.S. public discourse about cyber warfare combined with revelations of the Stuxnet operation have led me and others to worry that the United States was perhaps getting trigger happy with its cyber capabilities and that it had a too simplistic and overly optimistic idea of how those capabilities could realistically be used. But there are elements of PPD–20 that, if truly heeded by planners, should help to allay those fears.
First, critics have noted that the dense interconnectivity of cyberspace, which spans geographic boundaries, places serious limitations on the ability to precisely target and then control the effects of a cyber attack. Stuxnet’s escape into the “wild” soon emerged as an important piece of evidence in support of this caveat. We might take some comfort, therefore, in the fact that PPD–20 acknowledges that the global interconnectivity of cyberspace means that both defensive and offensive cyber operations, “even for subtle or clandestine operations, may generate cyber effects in locations other than the intended target, with potential unintended or collateral consequences that may affect U.S. national interests in many locations” (p. 6). A true appreciation of this possibility should serve to restrain the United States’s use of cyber attacks. Again, only time will tell if this lesson has truly been understood by U.S. policy makers.
Second, though the document does confirm the President’s belief that “OCEO can offer unique and unconventional capabilities to advance U.S. national objectives around the world” and therefore calls for the U.S. Government to “identify potential targets of national importance where OCEO can offer a favorable balance of effectiveness” (p. 9), it also recognizes the considerable difficulties in accomplishing this task. Some cyber war proponents have tended to talk about cyber weapons as though they are munitions like any other, that they can be created easily and cheaply, stored up, and then used at lightning speed on any target. They have pointed to Stuxnet as evidence of this latest revolution in military affairs. Others, however, have seen in Stuxnet an example of the costs and complexity of developing and deploying such weapons, as well as their limited operational effectiveness. This is because cyber weapons with the greatest potential effectiveness are those tailored to their targets. This tailoring, however, is complex, costly, and in need of constant updating as the target and the wider environment change. PPD–20 recognizes this fact when it says, “The development and sustainment of OCEO capabilities, however, may require considerable time and effort if access and tools for a specific target do not already exist” (p. 9).
Taken together, the application of the criteria laid out in PPD–20, its recognition of the difficulties of targeting and containing the effects of cyber attacks, and its acknowledgement of the considerable time and effort needed to develop a targeted, contained, and effective cyber weapon should all serve to constrain the United States’ use of cyber attack. Of course, the key word here is “should.”
It is certainly disappointing that the problem of cyber security is still being framed primarily as a national security and military problem and, as such, the United States continues its march towards the militarization of cyberspace. Nonetheless, there are several possible benefits to the public availability of PPD–20.
First, one action item at the end of PPD–20 is to develop a communication plan to explain the policy to the public. Ironically, the leak of this document might make that job easier. The public availability of PPD–20 helps to clarify for the public what its government’s understanding of and preparation for cyber warfare does and does not entail.
Second, PPD–20 could help to change the public discourse about cyber warfare. On the whole, the language in PPD–20 is less bellicose than much of the rhetoric that has come to dominate the public discussion of this issue. If truly appreciated and applied, the caveats and criteria identified in PPD–20, though they will not stop the United States’s development of offensive cyber warfare capabilities, should serve to restrain the use of those capabilities. The kind of sober assessment found in PPD–20, which acknowledges the potential negative impacts of and limitations to the use of cyber attack, should replace the sometimes overheated and overly optimistic public discourse about cyber warfare.
Finally, the public and the press now have agreed-upon criteria against which to judge future calls by politicians or others for the use of offensive cyber attacks. The public can hold them to account for following “their own criteria,” as Rid has said, because now we know what the criteria are. And there is no room in those criteria for the kind of cyber warmongering that has become all too prominent recently.
(This post first appeared at Forbes.com.)